Suggestion to fight forum spam

Could you not run a regex on thread titles and silently* fail to post when the thread title contains a pattern that matches "1-800-xxx-xxxx"? This should easily cut down on a large proportion of the spam.

I've been on forums that do this and I have to say it's very hard to do well. The trouble is it becomes a game of whack-a-mole. Every time you block a pattern, the spammers quickly adapt. Even if you do a silent block (I guess they figure it out by trial and error). So you keep blocking more patterns and spammers keep coming up with new ones and before long your genuine users are getting frustrated that half of their new topics are getting blocked by this system.

If there were an easy fix then spam wouldn't be such a problem across the web. The only thing I've seen work semi-reliably is to manually whitelist new topics and/or users but obviously that comes with downsides that rule it out for many sites.

That's like saying "cow" in response to me asking you what time it is. CN has nothing to do with anything here; one of the biggest negotiated points of the Ars acquisition in 2008 was that Ars maintains total autonomy when it comes to anything resembling IT, including developers, hosting, infrastructure, and design. CN couldn't assist with coding up a phpbb plugin even if we wanted them to. We'd have to source a statement of work to them and do it as a giant contractual engagement. The money & time that doesn't exist to budget & scope & execute a phpbb add-on internally also doesn't exist to do those exact same things for an external resource.

Besides, the other CN properties are all migrating to a new custom CMS called Copilot. If we did have the resources to try to scope an IT engagement and get some dev work done by them, they'd likely laugh in our faces and tell us they'd be happy to help us as soon as we drop our independence and convert to Copilot like literally every other brand in the building.

I've been on forums that do this and I have to say it's very hard to do well. The trouble is it becomes a game of whack-a-mole. Every time you block a pattern, the spammers quickly adapt.

I agree, it would quickly become a game of whack-a-mole, but it would certainly be a slower paced game than the current one of trying to delete the dozens of spam posts we get daily before a new one pops up pushing all the legitimate posts off the first page.

I'm happy you're at least open to the community coming up with a plugin. If I can find the time (not likely any time soon), I will do it.

As an aside, I can't believe it's been almost a decade since Conde Nast bought Ars. Feels like just yesterday. I guess that's a testament to how true to its roots the staff have managed to keep the site. I certainly feel like the site has changed (feels like the pace is accelerating), but it's still the Ars I've known and loved for a long time (I've been a reader of Ars long before I registered for the forums).

Oh, yeah, the short-lived cookies on the admin control panel are hard coded into phpbb. The thinking—and it's correct—is that the inconvenience of having to take ~0.5 seconds to re-enter your password is far outweighed by the security risk of having god-power logins persist for too long. Protects against stolen hardware, forgetful logins on public computers, and laptops/phones left unlocked where they shouldn't be.

Definitely working as intended, #wontfix.

I have to log into like 6 things every AM (ars front page, ars cms, slack, parsely, google mail & docs in 2 browsers, slack). It's not inconvenient. I press the password manager button and it logs me in. On a few of those logins I have to generate TOTP 2FA codes. That takes another 3-5 seconds. Big deal. Besides, you should be dumping all your cookies every time you close your browser anyway, unless you just love the idea of being a ginormous advertising data point.

If you're finding it inconvenient to re-auth to the admin panel—if it takes more than a half-second to do—you're doing it wrong.

I enter my O365 password multiple times a day in the admin panel because the idle logout can't be more than 20 minutes.

I was thinking of pattern matching as a solution, but if phpBB can't do that, then I really don't know how to combat all this silly spam at this point beyond harsh post count requirements for the forums, but then that'll just move the spam to the front page.

Yeah, but the latest bunch are at least somewhat predictable. For example, they get started in Windows Tech Mojo about 0730 my time each day. When I log on about 0830 or so I go straight there and find 8 or 10 spams.